An error occurred:

Check: RD6X-00-011500

Redis Enterprise 6.x STIG: RD6X-00-011500 (in versions v1 r3 through v1 r1)

Title

Access to database files must be limited to relevant processes and to authorized, administrative users. (Cat II impact)

Discussion

Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles.

Check Content

Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. If any user/role who is not an authorized system administrator with a need to know or database administrator with a need to know, or a system account for running DBMS processes, is permitted to read/view any of these files, this is a finding. Review the directory contents and files and verify that the appropriate file permissions are set. Verify that the file owner and group is set to Redis Labs or a group defined per site requirements. To check permissions of log files (Note: This may vary depending on the installation path.): # /var/opt/redislabs/log To check persisted files from memory if they are being used run the following command (Note: This may vary depending on the installation path.) # ls -ltr /var/opt/redislabs/persist/redis/ To check the default file permissions to verify that all authenticated users can only read and modify their own files: # cat/etc/login.defs|grep UMASK Verify the value is set to 077 or an appropriate organizationally defined setting. Investigate the permissions on these files. If the permissions allow access by other, this is a finding.

Fix Text

Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": UMASK 077 Set the permissions of the log files (/var/opt/redislabs/log) and persisted files (/var/opt/redislabs/persist/redis/) to an appropriate organizationally defined setting.

Additional Identifiers

Rule ID: SV-251247r879649_rule

Vulnerability ID: V-251247

Group Title: SRG-APP-000243-DB-000374

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001090

The information system prevents unauthorized and unintended information transfer via shared system resources.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-4

Information In Shared Resources